TGQR 2010Q4 Report.pdf - Teragridforum.org
8.7 Security

8.7.1 Security Working Group
A new proposal to support MPC on the portal was reviewed by the Security Working Group. The new design removes MCP from the portal and moves it to TeraGrid resources. One concern was the protection of the proxy credential while in transit between the portal and the resource. The group recommended that the portal delegate this to GRAM rather than GridFTP.

Securing Community Accounts Survey: Victor Hazlewood reviewed the results of a survey sent to RP security leads in early November. Although not all results had been received, he felt there was enough information to share with the working group. Nancy began the discussion by stating that the goal of this exercise is a more uniform development experience across RPs for Science Gateways, building on the information gathered at the 2008 "Security Summit". The survey results and the suggested policy recommendations for RPs are in draft status and available upon request.

The security team spent a significant amount of time responding to serious Linux vulnerabilities. At one point we were averaging one per week, and when they were announced there were no vendor patches available to mitigate the risk. This created an awkward situation in which RPs had to find ways to protect against these threats until patches were forthcoming. For each of these vulnerabilities the Security Working Group created a wiki page so the vulnerability status of all RPs could be tracked, including which production systems were at risk and what controls could be applied to mitigate the risk until an official patch was released.

During the period covered by this report there were approximately 11 compromised user accounts and one login node compromise.

The annual TeraGrid assessment project was completed and accepted during this quarter. This year's effort focused on an assessment of the TeraGrid User Portal (TGUP) operations and technologies. The TeraGrid User Portal has become an increasingly important piece of the TeraGrid infrastructure: it is a common place for many TeraGrid users to get live information as well as pointers to static information on the portal, POPS, or other TeraGrid-maintained web presences. In addition, a username/password login to the TGUP can be used to generate short-term proxy credentials that give access to TeraGrid resources, central or at the RPs, including queries of properly authorized user records in the TGCDB, orchestrating file transfers on the TeraGrid, and even command-line access to TeraGrid sites. The assessment found that TeraGrid staff were well aware of, and taking measures to prevent, common web-based application vulnerabilities. In addition, the TGUP has defined and addressed the issues of properly handling and proxying user credentials while accessing the portal. However, the assessment did identify further issues that warrant continued vigilance, including additional requirements for systems hosted by third parties (i.e., not a TeraGrid RP). During this quarter, previous drafts were reviewed and discussed in several forums, including the Security Working Group, and appropriate modifications were made.
8.7.2 Expanded TeraGrid Access

An update of the GSI-SSHTerm software to use the latest jGlobus 2.0 and BouncyCastle TLS libraries was completed. GSI-SSHTerm is one of the most popular applications in the TGUP, but the currently deployed version relies on out-of-date security libraries that do not support currently recommended security algorithms such as SHA-256. In Q1 2011 we will be testing this new GSI-SSHTerm version for production roll-out in the TGUP. Jim Basney assisted the TGUP team with the Kerberos integration needed to support the new Vetted/Unvetted account management process, and also helped the TGUP team with InCommon/Shibboleth testing in preparation for rolling out the production InCommon login capability in the TGUP.
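Two points in this section come together in a relying party's acceptance check for the short-term credentials described under 8.7.1 and the SHA-256 support discussed above: the credential's signature algorithm must be one the deployment's libraries and policy still accept, and its remaining lifetime must be bounded. The following Go program is an added example written for this page; it is not TeraGrid, TGUP or GSI-SSHTerm code. It constructs a throwaway CA and issues plain X.509 end-entity certificates in place of Globus proxy certificates, and the 12-hour lifetime cap, the algorithm allow-list and all names are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxRemainingLifetime caps how long a presented short-term credential may
// still be valid (assumed policy value, not TeraGrid's).
const MaxRemainingLifetime = 12 * time.Hour

// acceptedSigAlgs is the allow-list of signature algorithms. SHA-1 and MD5
// based algorithms are deliberately absent; a library without SHA-256 support
// could only produce credentials that fail this check.
var acceptedSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
	x509.PureEd25519: true,
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func randomSerial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	return s
}

func mustCreate(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// IssueCA builds a self-signed issuing CA (constructed for this example).
func IssueCA(key *ecdsa.PrivateKey, now time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: "Example Portal CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		SignatureAlgorithm:    x509.ECDSAWithSHA256,
	}
	return mustCreate(tmpl, tmpl, &key.PublicKey, key)
}

// IssueShortLived issues an end-entity certificate for user that expires after
// lifetime, signed by the CA with the requested algorithm (stand-in for a proxy).
func IssueShortLived(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string,
	lifetime time.Duration, alg x509.SignatureAlgorithm, now time.Time) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:       randomSerial(),
		Subject:            pkix.Name{CommonName: user},
		NotBefore:          now.Add(-5 * time.Minute), // small clock-skew allowance
		NotAfter:           now.Add(lifetime),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		SignatureAlgorithm: alg,
	}
	return mustCreate(tmpl, ca, &key.PublicKey, caKey)
}

// CheckCredential is the relying-party check: allow-listed signature algorithm,
// bounded remaining lifetime, then full chain validation at time now.
func CheckCredential(cert *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	if !acceptedSigAlgs[cert.SignatureAlgorithm] {
		return fmt.Errorf("signature algorithm %v not permitted", cert.SignatureAlgorithm)
	}
	if remaining := cert.NotAfter.Sub(now); remaining > MaxRemainingLifetime {
		return fmt.Errorf("remaining lifetime %v exceeds policy maximum %v", remaining, MaxRemainingLifetime)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Results holds the outcome of four scenarios: a compliant credential, one
// signed with SHA-1, one valid for 30 days, and one presented after expiry.
type Results struct{ Good, SHA1, LongLived, Expired error }

func RunScenarios() Results {
	now := time.Date(2011, 1, 15, 12, 0, 0, 0, time.UTC) // fixed clock for reproducibility
	caKey := mustKey()
	ca := IssueCA(caKey, now)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	user := "portal-user (constructed)"
	return Results{
		Good:      CheckCredential(IssueShortLived(ca, caKey, user, 8*time.Hour, x509.ECDSAWithSHA256, now), roots, now),
		SHA1:      CheckCredential(IssueShortLived(ca, caKey, user, 8*time.Hour, x509.ECDSAWithSHA1, now), roots, now),
		LongLived: CheckCredential(IssueShortLived(ca, caKey, user, 30*24*time.Hour, x509.ECDSAWithSHA256, now), roots, now),
		Expired:   CheckCredential(IssueShortLived(ca, caKey, user, 8*time.Hour, x509.ECDSAWithSHA256, now), roots, now.Add(9*time.Hour)),
	}
}

func main() {
	r := RunScenarios()
	fmt.Println("valid 8h credential: ", r.Good)
	fmt.Println("SHA-1 signed:        ", r.SHA1)
	fmt.Println("30-day credential:   ", r.LongLived)
	fmt.Println("checked after expiry:", r.Expired)
}
```

The algorithm check runs before chain validation on purpose: it gives a clear, policy-specific rejection reason rather than relying on whatever the underlying library does with a deprecated hash, which is exactly the dependency the GSI-SSHTerm library update removes.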
83